Privacy advocates find Obama proposal lacking

A consumer privacy proposal from U.S. President Barack Obama's administration gives people too little control over their personal data and companies too much latitude to use that information, a coalition of 14 privacy and digital rights groups said.

The Obama administration's consumer privacy bill of rights, released late Friday, allows companies holding personal data to determine whether consumers should be able to demand changes to the information, the groups said in a letter to Obama, sent Tuesday.

The White House proposal contains several "shortcomings," said the groups, including the Center for Democracy and Technology, Consumer Watchdog, Public Knowledge and the Electronic Frontier Foundation.

Among the problems: The proposal appears to allow companies holding personal data to limit consumer control over it based on the companies' assessment of risk to personal privacy or their decision that they hold the data in a manner that is "reasonable in light of context," according to its text.

The proposal seems to be designed to give consumers "minimal control" based on what data companies think they should hold, said Susan Grant, director of consumer protection for the Consumer Federation of America, one of the groups signing onto the letter. "It just doesn't seem to be pro-consumer."

The proposal would allow industries to propose their own privacy codes of conduct, with the U.S. Federal Trade Commission getting 90 to 120 days to review those codes before they go into effect. With the FTC potentially getting hundreds of codes of conduct to review, the White House proposal fails to give the agency adequate resources to deal with the new workload, the groups said.

"The Obama privacy bill is a digital house of cards -- a political version of a magician's trick," Jeffrey Chester, executive director of the Center for Digital Democracy, said by email. "It appears to give consumers control. But the crux of the bill is that the very companies that now freely collect all our data get to set all the new rules, through so-called codes of conduct."

The FTC isn't given clear authority to critically review the proposed codes, Chester added. "How can it conduct an effective analysis, place the issue for public comment, and arrive at a reasonable decision with an ever-beating, 90-day alarm clock aimed at it?" he said.

Representatives of the White House didn't immediately respond to requests for comment on the letter. The White House, on Friday, said the proposal was intended to give consumers more control over their personal information.

The proposal would require U.S. businesses and nonprofits that collect personal data to describe their privacy and security practices and give consumers control over their personal information in some cases.

But the proposal "falls short" of the goal of creating a powerful framework to protect personal privacy, the privacy groups said in their letter. Grant called the consumer protections in the proposal "squishy."

The Obama proposal includes "broad exceptions" from privacy protections for large categories of personal information, including business records, cyberthreat indicators and data "generally available to the public," the privacy groups noted. The exception on business records creates concerns about data collection by the U.S. National Security Agency, which has targeted business records in some of its surveillance programs, critics said.

The White House plan also doesn't give consumers the ability to correct most records held by data brokers, the groups said. The proposal would require companies to provide consumers a means to dispute and correct the accuracy of personal data, but it doesn't specify the mechanism for disputing or correcting information, which instead "shall be reasonable and appropriate for the privacy risks and the risk of an adverse action against an individual," according to the text.

The provision for consumers to access their records from online companies and data brokers was "deliberately written -- I believe by industry -- to make it difficult for most consumers to access and correct their file," Chester said. "It's just another example of why this privacy plan ... is a love letter to the data lobby."

While the privacy groups criticized the proposal as offering weak protections for consumers, some business groups said the plan would create too many regulations for businesses.

Several existing laws already provide strong privacy protections to consumers, said the Association of National Advertisers, a trade group. The proposal "unfortunately is a major step in the wrong direction," ANA group executive vice president Dan Jaffe wrote in a blog post. "It will divert attention and energy from critical data security legislation and will not materially aid the privacy debate."

The proposal, coupled with the Obama administration's support of new net neutrality rules, amounts to an attack on the open Internet, added TechFreedom, a free market think tank. The proposal would "fundamentally change the way Internet businesses work," Berin Szoka, the think tank's president, said by email.

The proposal would have no impact on ongoing government surveillance programs, Szoka added. "It takes real chutzpah for the White House to talk about a Consumer Privacy Bill of Rights when the real Bill of Rights has never been more under siege -- and this administration has done precious little to defend them," he said.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is grant_gross@idg.com.
